Addressing the Complexity of the IoT
By Christine Hertzog and Galen Rasche, EPRI
A United States Computer Emergency Readiness Team (US-CERT) alert released in March confirmed what was long suspected: Utility grids in the U.S. and around the world were subject to ongoing, persistent, and in some cases, successful cyberattacks from unfriendly nation-states and other well-funded malicious actors. The alert provided descriptions of attack phases, specifics on compromised systems, and recommended countermeasures for critical infrastructure. Its publication heightens the urgency for utilities to examine and assess cybersecurity risks to their grid operations and prioritize mitigations to ensure continued grid reliability. But grid reliability is no longer the only raison d’etre for utility cybersecurity.
Increasing Threats and Complexity Drive Need for CyberSecurity Strategy
Cybersecurity risk management is a complex challenge for utilities for any number of technology, policy or resource reasons. These risks increase as:
“- More grid equipment is communications-enabled to support remote monitor and control capabilities as part of advanced grid initiatives.
“- More distributed energy resources (DER) with smart inverters on solar and energy storage assets are deployed in distribution grids.
“- Communications-enabled DER equipment increases the utility attack surface that must be protected.
“- Many DER assets are owned by third parties instead of utilities. A lack of direct utility control creates new complications to securing grid operations because these third parties may not exercise the same rigor in their cybersecurity policies or they might perform different practices than utilities.
“- Cost pressures cause utilities to place a greater reliance on cloud-based services, which adds another layer of ecurity concerns.
For utilities, it’s all about protecting the systems and their respective datasets, detecting incidents and abnormalities when they occur and responding in ways that support the overall resiliency of the system.
For example, some advanced grid initiatives focus on creating data from new and existing devices and transporting that data to inform real-time decisions and historical analyses. If that data can be compromised at any stage from creation to consumption, then it’s a cybersecurity issue.
Different CyberSecurity Considerations Needed for IIOT and Iot
A thorough delineation of utility cybersecurity data risks must address the distinctions between the Industrial Internet of Things (IIoT) and the Internet of Things (IoT) to ensure that all stakeholders—utilities, technology and service vendors, policy-makers and consumers—understand roles and responsibilities in ensuring grid security.
The Electric Power Research Institute (EPRI) Cybersecurity research program defines IoT as a collection of consumer-operated embedded devices, technologies and services connected through a public internet. These can be machine-to-human (M2H) or machine -to-machine (M2M) types of networks. A smart home application like a programmable lock or smart thermostat is an example of the IoT.
In contrast, EPRI’s definition of IIoT is: A collection of embedded devices, technologies and services connected through a public or private internet for industrial applications characterized by data volume, variety, velocity and veracity requirements that often far exceed IoT application needs. In short, the IIoT is a convergence of IoT, information and communications technologies and operational technology (OT) environments for applications in industrial control systems.
For utilities, networks that connect DER assets for monitor and control functions are examples of IIoT. But as utilities revise business processes, there’s an IoT/IIoT convergence that poses special cybersecurity challenges too. The networks of aggregated devices enrolled in demand response programs and IoT applications may also be used by utilities or third parties to modulate energy consumption and have an interface to the utility’s network. This is a perfect example of a convergence of an IoT use case with a utility IIoT. The grid edge is an environment full of IoT/IIoT convergences.
Table 1, established by EPRI, illustrates key distinctions between IIoT and IoT data from the lens of utility cybersecurity risk assessment. The four data attributes define the value of data. If data veracity is compromised, data value is extinguished. If data volumes or velocities are constrained, data value is diminished.
Mitigating CyberSecurity Risks in IIoT and IoT Environments
Utilities have significant challenges ahead to reduce cybersecurity risks to their grids, but fortunately there are proven tactics to assist in those efforts. Cybersecurity architectures, standards, technologies, policies and practices tailored for utility IT/OT and IIoT/IoT environments can be used to identify and reduce risks and improve overall cybersecurity.
EPRI’s cybersecurity research equips utilities with knowledge to develop roadmaps that describe the ideal future state and enable objective identification of gaps. Technology, policy/process or resource activities can then be planned and deployed to achieve objectives. The collaborative research methodology enables utilities to share lessons learned and reduce tactical risks and costs.
EPRI’s research includes work on utility security metrics to measure current state and progress in security postures. These metrics reflect operational, tactical and strategic views developed by consensus with utilities. The operational and tactical metrics are of particular value to security operations centers to improve their overall situational awareness. Strategic metrics enable executives to make informed decisions about investments in technology, processes and resources.
EPRI’s work on security architectures provides utilities with guidance on selection and deployment of solutions and processes using standardized policies, processes, protocols and interfaces. The devices that communicate with any utility may range from thousands to millions, and automation of routine security tasks will be critical. Having the right architecture in place is essential.
Device authentication is the process of identifying and verifying the identity of a person or system. Currently, it’s a significant challenge for utilities dealing with DER integration and the IoT/IIoT convergence of consumer-owned devices that participate in load management programs. EPRI’s cybersecurity research program is reviewing utility options to authenticate devices for a variety of use cases.
There are many other questions that utility CISOs, CSOs, CIOs and directors in IT and operations confront every day. These include:
“- How to ensure cybersecure cloud-based operations?
“- What are the appropriate use cases for data-in-transit encryption?
“- Which technologies meet utility needs in intrusion detection and intrusion prevention, and are there technology gaps?
EPRI’s researchers are continuously working with a broad range of global, investor-owned, generation and transmission, municipal, and rural cooperative utilities to investigate these challenges and answer these questions.
Cybersecurity is the 21st century challenge for utilities, because the electric, gas and water sectors are increasingly dependent on reliable, resilient, flexible and secure networks to transport and store data for grid operations and support the analytics requirements for a wide range of stakeholders. Grid reliability is important, but it’s not the only reason to invest in comprehensive cybersecurity strategies. The rapid pace of change in IIoT and IoT environments is creating new sets of challenges for utilities.
EPRI’s cybersecurity research program focuses on emerging threats to utilities through multidisciplinary and collaborative research on technologies, standards and business processes. For more information, contact .
Christine Hertzog is a technical advisor for information and communications technologies (ICT) and cybersecurity at the Electric Power Research Institute (EPRI). She works with utilities to resolve the unique and complex challenges of grid modernization initiatives by leveraging tools and deliverables from EPRI’s collaborative R&D programs in ICT and cybersecurity. She also helps shape ICT and cybersecurity R&D directions.
Galen Rasche is a senior program manager in the power delivery and utilization (PDU) sector at the Electric Power Research Institute (EPRI), managing the cybersecurity program. This program performs applied research in the areas of protective measures, threat management and information assurance. Rasche earned a master of science dergree in electrical engineering from the University of Illinois at Urbana-Champaign and a MBA and bachelor of science degree in electrical engineering from the University of Kentucky.